Don't put the signature information in the token, put it in a separate 
component (an envelope) that describes how the token is either signed or 
encrypted. See discussion from June:

http://www.ietf.org/mail-archive/web/oauth/current/msg03211.html

On 2010-09-26, at 9:20 PM, Mike Jones wrote:

> I’d be open to a proposal for also supporting encryption.  The draft was 
> intended to be a starting point for productive discussion – not a finished 
> product.
>  
> Your thoughts?
>  
>                                                             -- Mike
>  
> From: Dick Hardt [mailto:dick.ha...@gmail.com] 
> Sent: Sunday, September 26, 2010 9:17 PM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Specification Draft
>  
> Did you intentionally decide not to support encrypting the token?
>  
> On 2010-09-23, at 5:22 PM, Mike Jones wrote:
> 
> 
> Recognizing that there is substantial interest in representing sets of claims 
> in JSON tokens, Yaron Goland and I have put together a draft JSON Web Token 
> (JWT) spec for that purpose.
>  
> To answer the obvious question, while this was produced independently of 
> Dirk’s JSON token proposal, both of us agree that we should come up with a 
> unified spec.  Consider this an additional point in the possible design space 
> from which to start discussions and drive consensus.  (If you read the two 
> proposals, I think you’ll find that there’s already a lot in common, which is 
> great.)
>  
> Thanks to those of you who have already given us feedback to improve the 
> draft prior to this point.
>  
>                                                             Cheers,
>                                                             -- Mike
>  
> <jwt.html><jwt.xml>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
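The envelope idea in Dick's reply at the top of this message, as an added example that is not part of the thread and not code from either the JWT draft or Dirk's proposal. It assumes a hypothetical wire format in which a small JSON envelope says how the token is protected (here: HMAC signing, naming an algorithm and a key id) while the token itself carries only claims; the envelope layout, the key ring, the field names and the sample claims are all constructed for this example. The MAC deliberately covers envelope and token together, so a recipient cannot be handed the same claims under a different "how this is protected" description.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical envelope layout, an assumption for this example only:
#   envelope = {"protection": "signed", "alg": "HS256", "kid": "<key id>"}
#   wire     = b64url(envelope) "." b64url(token) "." b64url(signature)
# The MAC covers the envelope and the token together, so neither the
# claims nor the protection metadata can be swapped in transit.

KEYS = {"k1": b"constructed-demo-key-k1"}      # constructed sample key ring
ALLOWED_ALGS = {"HS256": hashlib.sha256}       # verifier-side allowlist


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    # Deterministic serialisation so signer and verifier MAC the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def wrap(token: dict, kid: str, alg: str = "HS256") -> str:
    """Produce envelope.token.signature for a claims dict."""
    envelope = {"protection": "signed", "alg": alg, "kid": kid}
    env_b64 = b64url_encode(canonical_json(envelope))
    tok_b64 = b64url_encode(canonical_json(token))
    signing_input = f"{env_b64}.{tok_b64}".encode("ascii")
    mac = hmac.new(KEYS[kid], signing_input, ALLOWED_ALGS[alg]).digest()
    return f"{env_b64}.{tok_b64}.{b64url_encode(mac)}"


def unwrap(wire: str) -> Optional[dict]:
    """Return the claims if the envelope is understood and the MAC verifies, else None."""
    try:
        env_b64, tok_b64, sig_b64 = wire.split(".")
        envelope = json.loads(b64url_decode(env_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(envelope, dict) or envelope.get("protection") != "signed":
        return None      # encrypted envelopes are out of scope for this example
    alg, kid = envelope.get("alg"), envelope.get("kid")
    digest = ALLOWED_ALGS.get(alg) if isinstance(alg, str) else None
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if digest is None or key is None:
        return None      # unknown algorithm or key id: refuse rather than guess
    signing_input = f"{env_b64}.{tok_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, digest).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(tok_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    wire = wrap({"iss": "example-issuer", "sub": "alice"}, "k1")   # constructed claims
    print(wire)
    print(unwrap(wire))
```

The point of keeping `protection`, `alg` and `kid` outside the claims is that the verifier decides how to check the token from the envelope and its own allowlist before it ever parses the claims; a token whose envelope names an algorithm or key the verifier does not recognise is rejected without looking inside.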
